A number of cross-site scripting (XSS) security vulnerabilities were discovered in the web-based installer (config/index.php). These vulnerabilities all require a live installer -- once the installer has been used to install a wiki, it is deactivated.

Note that cross-site scripting vulnerabilities can be used to attack any website in the same cookie domain. So if you have an uninstalled copy of MediaWiki on the same site as an active web service, MediaWiki could be used to attack the active service.

If you are hosting an old copy of MediaWiki that you have never installed, you are advised to remove it from the web.

David Remahl of Apple's Product Security team has identified a number of security issues in previous releases of MediaWiki. Subsequent analysis by the MediaWiki development team expanded the scope of these vulnerabilities. The issues with a significant impact are as follows:

A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki installations since the feature was introduced in 1.3.0. [CVE-2008-5252]

A local script injection vulnerability allows an attacker with a wiki account to steal another user's login session, and to act as that user on the wiki. The attacker uploads a malicious script file, and tricks the victim into executing it.

CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki, but unlike an XSS vulnerability, the attacker can only act as the user in a specific and restricted way. The present CSRF vulnerability allows pages to be edited, with forged revision histories. Like an XSS vulnerability, the authorised user must visit the malicious web page to activate the attack.

These three vulnerabilities are all fixed in this release.
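As an added illustration of the CSRF class described above (this is example code, not MediaWiki's own implementation), the following PHP shows an import-style form handler with and without a per-session edit token; the function names and the `$_SESSION['edit_token']` key are hypothetical.

```php
<?php
// Added example, not MediaWiki code: a minimal form handler in the style of
// a Special:Import action, without and with an anti-CSRF edit token.
// handleImportVulnerable, handleImportProtected and $_SESSION['edit_token']
// are hypothetical names.

session_start();

// Vulnerable handler: any cross-site POST that carries the victim's session
// cookie is accepted, so a page the victim visits can forge an import.
function handleImportVulnerable(array $post): string {
    if (!isset($_SESSION['user'])) {
        return 'not logged in';
    }
    return performImport($_SESSION['user'], $post['xml'] ?? '');
}

// Per-session secret that a browser only learns when rendering our own form.
function getEditToken(): string {
    if (empty($_SESSION['edit_token'])) {
        $_SESSION['edit_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['edit_token'];
}

// Protected handler: the request must echo the token back. A third-party
// page cannot read it (same-origin policy), so a forged POST fails here.
function handleImportProtected(array $post): string {
    if (!isset($_SESSION['user'])) {
        return 'not logged in';
    }
    $supplied = $post['wpEditToken'] ?? '';
    if (!is_string($supplied) || !hash_equals(getEditToken(), $supplied)) {
        return 'session failure: missing or invalid edit token';
    }
    return performImport($_SESSION['user'], $post['xml'] ?? '');
}

function performImport(string $user, string $xml): string {
    // Placeholder for the real import work, which is out of scope here.
    return 'imported ' . strlen($xml) . " bytes as $user";
}

// Our own form embeds the token as a hidden field.
function renderForm(): string {
    $token = htmlspecialchars(getEditToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post">'
         . '<input type="hidden" name="wpEditToken" value="' . $token . '">'
         . '<textarea name="xml"></textarea><input type="submit"></form>';
}
```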

David Remahl also reminded us of some security-related configuration issues:

By default, MediaWiki stores a backup of deleted images in the images/deleted directory. If you do not want these images to be publicly accessible, make sure this directory is not accessible from the web. MediaWiki takes some steps to avoid leaking these images, but these measures are not perfect.

Set display_errors=off in your php.ini to avoid path disclosure via PHP fatal errors. This is the default on most shared web hosts.

Enabling MediaWiki's debugging features, such as $wgShowExceptionDetails, may lead to path disclosure.

Other changes in this release:

Avoid fatal error in profileinfo.php when not configured.

Add a .htaccess to deleted images directory for additional protection against exposure of deleted files with known SHA-1 hashes on default installations.

MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept "ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year from first release, but nonessential bugfixes and feature developments will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain it from source control: Download from SVN.

This is a release candidate of the Winter 2008 quarterly snapshot release of MediaWiki.

Marking edits as bot edits with Special:Contributions?bot=1 now requires the markbotedit permission, rather than the rollback permission previously used. This permission is assigned by default to the sysop group.

MediaWiki now checks if serialized files are out of date. New configuration variable $wgCheckSerialized can be set to false to enable old behavior (i.e. to not check and assume they are always up to date).

The rollback permission can now be rate-limited using the normal mechanism.

When $wgUseTidy has been enabled, PHP's Tidy module is now used if it is present, in preference to an external Tidy executable which may or may not be present. To force use of external Tidy even when the PHP module is available, set $wgTidyInternal to false.

(bug 12655) Added $wgUserEmailUseReplyTo config option to put sender address in Reply-To instead of From for user-to-user emails. This protects against SPF problems and privacy-leaking bounce messages when using mailers that set the envelope sender to the From header value.

Merged backends for OpenSearch suggestions and AJAX search. Both now accept namespace prefixes, handle 'Media:' and 'Special:' pages, and reject interwiki prefixes. PrefixSearch class centralizes this code, and the backend part can be overridden by the PrefixSearchBackend hook.

(bug 11952) Ensure we quote_ident() all schema names as needed inside of the DatabasePostgres.php file.

(bug 12184) Exceptions now sent to stderr instead of stdout for command-line scripts, making for cleaner reporting during batch jobs. PHP errors will also be redirected in most cases on PHP 5.2.4 and later, switching 'display_errors' to 'stderr' at runtime.

(bug 12567) Fix for misformatted read-only messages on edit and protect. Also added proper read-only checks to several special pages, and removed read-only checks from the general user permission framework.

Creating a site with a name containing '#' is no longer permitted, since the name will not work (but $wgSiteName is not checked if manually set).

The main effect of this for the user is that the rules for uncovered syntax have changed.

Uncovered main-pass syntax, such as HTML tags, is now generally valid, whereas previously in some cases it was escaped. For example, you could have "<ta" in one template, and "ble>" in another template, and put them together to make a valid <table> tag. Previously the result would have been the escaped text "&lt;table&gt;".

Uncovered preprocessor syntax is generally not recognized. For example, if you have "{{a" in Template:A and "b}}" in Template:B, then "{{a}}{{b}}" will be converted to a literal "{{ab}}" rather than the contents of Template:Ab. This was the case previously in HTML output mode, and is now uniformly the case in the other modes as well. HTML-style comments uncovered by template expansion will not be recognized by the preprocessor and hence will not prevent template expansion within them, but they will be stripped by the following HTML security pass.

Bug 5678 has been fixed. This has a number of user-visible effects related to the removal of this double-parse. Please see the wiki page for examples.

Message transformation mode has been removed, and replaced with "preprocess" mode. This means that some MediaWiki namespace messages may need to be updated, especially ones which took advantage of the terribly counterintuitive behavior of the former message mode.

The header identification routines for section edit and for numbering section edit links have been merged. This removes a significant failure mode and fixes a whole category of bugs (tracked by bug #4899). Wikitext headings uncovered by template expansion will still be rendered into a heading tag, and will get an entry in the TOC, but will not have a section edit link. HTML-style headings will also not have a section edit link. Valid wikitext headings present in the template source text will get a template section edit link. This is a major break from previous behavior, but I believe the effects are almost entirely beneficial.

The main motivation for making these changes was performance. The new two-pass preprocessor can skip "dead branches" in template expansion, such as unfollowed #switch cases and unused defaults for template arguments. This provides a significant performance improvement in template-heavy test cases taken from Wikipedia. Parser function hooks can participate in this performance improvement by using the new SFH_OBJECT_ARGS flag during registration.

The pre-expand include size limit has been removed, since there's no efficient way to calculate such a figure, and it would now be meaningless for performance anyway. The "preprocessor node count" takes its place, with a generous default limit.

The context in which XML-style extension tags are called has changed, so extensions which make use of the parser state may need compatibility changes.

The new preprocessor syntax has been documented in Backus-Naur Form at Preprocessor ABNF.

The ExpandTemplates extension now has the ability to generate an XML parse tree from wikitext source. This parse tree corresponds closely to the grammar documented on that page.

1.12 has several database changes since 1.11, and will not work without schema updates.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!

Some output, particularly involving user-supplied inline HTML, may not produce 100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType = "application/xhtml+xml"; to test for remaining problem cases, but this is not recommended on live sites. (This must be set for MathML to display properly in Mozilla.)

Documentation for both end-users and site administrators is currently being built up on this wiki, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): see Documentation.